lumma | 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db

Resubmissions

03/01/2025, 18:46 UTC

250103-xey6jaxpct 10

03/01/2025, 18:36 UTC

250103-w9dyeazpck 10

03/01/2025, 18:30 UTC

250103-w5lgpazmfq 10

03/01/2025, 05:20 UTC

250103-f1hl8s1kfs 10

03/01/2025, 05:16 UTC

250103-fx5mlatmck 10

03/01/2025, 05:10 UTC

250103-ftrlkatldn 10

03/01/2025, 05:08 UTC

250103-fsh8sstlap 10

30/12/2024, 05:30 UTC

241230-f67tbazkdz 10

Analysis

max time kernel
1s
max time network
3s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2025, 05:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
Size

563KB
MD5

956c90a95e6e640f24d2fa8e03dbb145
SHA1

6ed330ad442c53c05ce48b306be888a97bf8c88c
SHA256

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db
SHA512

c7051a4881bad5eba5d0039c3cb7f5eb0cfb6506f585dc0985ccb527439768ac5075564be43486ded5cc59d1aa4690a5052399f99108af5500cdeb611f8a6d48
SSDEEP

12288:JYO6Dqzihouxpa+yWz2qRPmZqaKS6gfb3e82flYDXCOEO:OO6DThou2+y02TZqa97b3effyXXt

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

https://mindhandru.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79
PID 4512 wrote to memory of 4164	4512	111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe	79

C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
"C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
  "C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4164

Network

DNS

mindhandru.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

mindhandru.buzz

IN A

Response
DNS

prisonyfork.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

prisonyfork.buzz

IN A

Response
DNS

rebuildeso.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

rebuildeso.buzz

IN A

Response
DNS

scentniej.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

scentniej.buzz

IN A

Response
DNS

inherineau.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

inherineau.buzz

IN A

Response
DNS

screwamusresz.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

screwamusresz.buzz

IN A

Response
DNS

appliacnesot.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

appliacnesot.buzz

IN A

Response
DNS

cashfuzysao.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

cashfuzysao.buzz

IN A

Response
DNS

hummskitnj.buzz

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

hummskitnj.buzz

IN A

Response
DNS

steamcommunity.com

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.82.234.109
DNS

8.8.8.8.in-addr.arpa

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

109.234.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.234.82.104.in-addr.arpa

IN PTR

Response

109.234.82.104.in-addr.arpa

IN PTR

a104-82-234-109deploystaticakamaitechnologiescom

104.82.234.109:443

steamcommunity.com

tls

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

1.5kB
33.7kB
19
30

8.8.8.8:53

mindhandru.buzz

dns

111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

685 B
1.3kB
11
11

DNS Request

mindhandru.buzz

DNS Request

prisonyfork.buzz

DNS Request

rebuildeso.buzz

DNS Request

scentniej.buzz

DNS Request

inherineau.buzz

DNS Request

screwamusresz.buzz

DNS Request

appliacnesot.buzz

DNS Request

cashfuzysao.buzz

DNS Request

hummskitnj.buzz

DNS Request

steamcommunity.com

DNS Response

104.82.234.109

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

109.234.82.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

109.234.82.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4164-1-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4164-3-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4164-4-0x0000000000BE0000-0x0000000000C70000-memory.dmp

Filesize
576KB

Download
memory/4512-0-0x0000000000C1A000-0x0000000000C1B000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.